Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort and squid

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort and squid
Date: Thu, 17 Jan 2008 10:36:29 -0500 
You have two options.  Correlate the events with the logs from your  
Squid proxy, or move the Snort sensor inside the proxy.

Sometimes (and right now I can't remember if Squid does it) it will  
add a header to the http that says "X-Forwarded-For" or similar that  
will have the IP of the actual client.  However, like I said, I can't  
remember if Squid does that for you, and that would be the only way  
that you can see the IP behind the proxy.

Joel

On Jan 17, 2008, at 5:46 AM, Helmut Schneider wrote:


Hi,

I'm using snort 2.7 on two machines, one at a hub next to the router  
and the
firewall and since yesterday a second sensor on my proxy (squid). All
web-traffic must go through the proxy.
The first sensor gives information about e.g. that one uses google  
desktop
but does not say which client (of course, as source is the proxy).  
So I
installed snort as a second sensor on the proxy but without success.  
The
alerts the first sensors finds are not found on the second sensor  
(the squid
protocol might differ from HTTP).

Is there a way to configure snort to reveal which exact client  
"breaks"
policies?

Thanks, Helmut


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] snort and squid, Helmut Schneider
Next by Date:  Re: [Snort-users] snort and squid, Helmut Schneider
Previous by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Next by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Indexes:  [Date] [Thread] [Top] [All Lists]